
Thread: New User with questions about sspr and forgotten password sce


  1. #1
    rreid NNTP User

    New User with questions about sspr and forgotten password sce


    We are running an IDM User Application that services internal employees
    as well as external clients and does a very good job in letting us
    partition pages etc according to base DN.

    In implementing the new SSPR is there a way to configure the app to have
    one set of users (external clients) not be required to set or answer
    challenge responses and receive e-mail tokens for changing a forgotten
    password but also in the same application, have internal users be
    required to set up and answer challenge responses for resetting a
    forgotten password? You can set different base DNs or profiles to apply
    to some of the modules but forgotten password doesn't seem to have the
    capability to provide a different mechanism for a different set of
    users.

    If this is not possible to do:

    1- can you run multiple instances of sspr under the same tomcat
    instance? (i.e. renaming the war file and deploying)
    2- Even if you have multiple instances how do you handle the Forgot
    Password link on the login form for the Userapp? How would you send
    internal users to one sspr instance and external users to another?

    Thanks for any insight that can be given.


    --
    rreid
    ------------------------------------------------------------------------
    rreid's Profile: https://forums.netiq.com/member.php?userid=396
    View this thread: https://forums.netiq.com/showthread.php?t=53338


  2. #2
    ab NNTP User

    Re: New User with questions about sspr and forgotten password sce

    On 04/16/2015 08:50 PM, rreid wrote:
    >
    > We are running an IDM User Application that services internal employees
    > as well as external clients and does a very good job in letting us
    > partition pages etc according to base DN.
    >
    > In implementing the new SSPR is there a way to configure the app to have
    > one set of users (external clients) not be required to set or answer
    > challenge responses and receive e-mail tokens for changing a forgotten
    > password but also in the same application, have internal users be
    > required to set up and answer challenge responses for resetting a
    > forgotten password? You can set different base DNs or profiles to apply
    > to some of the modules but forgotten password doesn't seem to have the
    > capability to provide a different mechanism for a different set of
    > users.
    >
    > If this is not possible to do:


    If your backend is eDirectory you could probably do this pretty easily by
    using different password policies for each set of users. Even if the
    password policies were identical in their settings (complexity, length,
    history, etc.) they could link to different challenge set objects which
    control what users do in terms of challenge/response, if anything (one
    policy could use that functionality while another does not). Policies are
    applied, potentially, per-user (at their most-granular, though that's not
    the norm) so you can be very flexible there.

    If you are stuck with something like Microsoft Active Directory (MAD) I'm
    not sure what you can do in terms of this since the challenge response
    stuff is all part of eDirectory or SSPR.

    > 1- can you run multiple instances of sspr under the same tomcat
    > instance? (i.e. renaming the war file and deploying)


    Sure.

    > 2- Even if you have multiple instances how do you handle the Forgot
    > Password link on the login form for the Userapp? How would you send
    > internal users to one sspr instance and external users to another?


    How do you send all users to SSPR today? Presumably e-mail when they sign
    up, or word of mouth, or an organizational handbook for employees, etc.
    Same thing, but now you'll need to modify that method per type of user.

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below...

  3. #3
    rreid (Join Date: Oct 2007, Posts: 69)

    Re: New User with questions about sspr and forgotten password sce


    ab wrote:
    > On 04/16/2015 08:50 PM, rreid wrote:
    > >
    > > We are running an IDM User Application that services internal employees
    > > as well as external clients and does a very good job in letting us
    > > partition pages etc according to base DN.
    > >
    > > In implementing the new SSPR is there a way to configure the app to have
    > > one set of users (external clients) not be required to set or answer
    > > challenge responses and receive e-mail tokens for changing a forgotten
    > > password but also in the same application, have internal users be
    > > required to set up and answer challenge responses for resetting a
    > > forgotten password? You can set different base DNs or profiles to apply
    > > to some of the modules but forgotten password doesn't seem to have the
    > > capability to provide a different mechanism for a different set of
    > > users.
    > >
    > > If this is not possible to do:
    >
    > If your backend is eDirectory you could probably do this pretty easily by
    > using different password policies for each set of users. Even if the
    > password policies were identical in their settings (complexity, length,
    > history, etc.) they could link to different challenge set objects which
    > control what users do in terms of challenge/response, if anything (one
    > policy could use that functionality while another does not). Policies are
    > applied, potentially, per-user (at their most-granular, though that's not
    > the norm) so you can be very flexible there.
    >
    > If you are stuck with something like Microsoft Active Directory (MAD) I'm
    > not sure what you can do in terms of this since the challenge response
    > stuff is all part of eDirectory or SSPR.


    Thanks for the reply. We are running with eDirectory on the backend. We
    have been using IDM for 12+ years so we are well aware of the password
    policies etc within eDirectory and already have applied different
    policies to our internal and external users.

    The issue is with the forgotten password mechanism. We don't want to
    require our external users (clients) to have to set up challenge
    responses. We simply want to have them be able to request to have a new
    password sent to their email address through sspr. This works great.
    At the same time though, we can't use that same process with internal
    users because if they forgot their password, they can't get into their
    e-mail to get the new one or verify the token. I have not found
    anywhere in sspr where I can assign a different method of handling the
    forgotten password per group of users whether by ldap search or baseDN.
    It's all or nothing. I can indeed assign different password policies
    and even different challenge response profiles but I haven't figured out
    how to require internal users to go through answering the responses and
    external users to have a token e-mailed to them.

    >
    > > 1- can you run multiple instances of sspr under the same tomcat
    > > instance? (i.e. renaming the war file and deploying)
    >
    > Sure.
    >
    > > 2- Even if you have multiple instances how do you handle the Forgot
    > > Password link on the login form for the Userapp? How would you send
    > > internal users to one sspr instance and external users to another?
    >
    > How do you send all users to SSPR today? Presumably e-mail when they sign
    > up, or word of mouth, or an organizational handbook for employees, etc.
    > Same thing, but now you'll need to modify that method per type of user.


    What I meant is how I redirect them to the appropriate instance of 2
    sspr applications from the same "Forgot Password" link on the Userapp
    Login page? This userapp is used for internal and external users.
    Since the users haven't authenticated yet, I have no way to redirect
    internal users to one sspr instance and external users/clients to
    another. I could create a custom page and have them enter their e-mail
    address and then redirect to the appropriate sspr but then they would
    have to re-enter their email address to go through the forgotten
    password process.

    Thoughts?


    --
    rreid
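The routing problem in the post above (deciding, before the user has authenticated, which SSPR instance should handle a forgotten-password request) can be handled by the custom page the poster mentions, provided that page carries the identifier forward instead of making the user type it twice. The following is an added example and not code from NetIQ SSPR, the User Application, or anyone in this thread. It assumes two SSPR deployments at hypothetical URLs, a hypothetical `username` query parameter for pre-filling the identifier (the actual parameter, if any, is version-specific and must be checked against the SSPR documentation), and a constructed in-memory directory standing in for the LDAP search against eDirectory. Unknown identifiers are sent to the external instance so this page's response looks the same whether or not an account exists; the receiving SSPR instance handles the not-found case itself.

```python
"""Choose the SSPR instance for an unauthenticated forgotten-password request.

Hypothetical helper (not NetIQ code): the User Application's "Forgot Password"
link points at this page, the user enters an identifier, the identifier is
resolved to a DN, and the request is redirected to the SSPR instance that
serves that part of the tree. Constructed sample data stands in for the
eDirectory LDAP search a real deployment would perform.
"""
from typing import Optional
from urllib.parse import urlencode

# Constructed sample directory: identifier -> DN. Real code would run an LDAP
# search (on mail or cn, for example) against eDirectory here.
SAMPLE_DIRECTORY = {
    "jsmith@example.com": "cn=jsmith,ou=users,o=internal",
    "client1@partner.example": "cn=client1,ou=clients,o=external",
}

# Assumed deployment: one SSPR WAR per user population, renamed so both run in
# the same Tomcat. Hostnames and context paths are hypothetical.
SSPR_INSTANCES = {
    "o=internal": "https://idm.example.com/sspr-internal/",   # challenge/response
    "o=external": "https://idm.example.com/sspr-external/",   # e-mailed token
}

# Identifiers that resolve to no configured partition go here, so the redirect
# looks the same whether or not an account exists.
DEFAULT_BASE_DN = "o=external"

# Assumed name of the query parameter SSPR reads to pre-fill the identifier.
USERNAME_PARAM = "username"


def normalize_identifier(identifier: str) -> str:
    """Trim whitespace and lower-case, so lookups do not depend on typing."""
    return identifier.strip().lower()


def base_dn_for(dn: str, bases=SSPR_INSTANCES) -> Optional[str]:
    """Return the configured base DN that is a suffix of `dn`, or None.

    Matching is done on whole RDN boundaries: 'o=internal' must be preceded by
    a comma (or be the entire DN), so 'o=internal-partners' never matches.
    """
    dn_norm = ",".join(part.strip().lower() for part in dn.split(","))
    for base in bases:
        base_norm = ",".join(part.strip().lower() for part in base.split(","))
        if dn_norm == base_norm or dn_norm.endswith("," + base_norm):
            return base
    return None


def route_forgotten_password(identifier: str, directory=SAMPLE_DIRECTORY) -> str:
    """Return the redirect URL for a forgotten-password request.

    The identifier is passed along as a query parameter so the user does not
    have to re-enter it on the SSPR side. Lookup failures fall back to the
    default instance rather than producing a distinguishable error.
    """
    ident = normalize_identifier(identifier)
    dn = directory.get(ident)
    base = base_dn_for(dn) if dn else None
    target = SSPR_INSTANCES.get(base, SSPR_INSTANCES[DEFAULT_BASE_DN])
    return target + "?" + urlencode({USERNAME_PARAM: ident})


if __name__ == "__main__":
    for who in ("jsmith@example.com", "Client1@Partner.example", "nobody@example.com"):
        print(f"{who:28} -> {route_forgotten_password(who)}")
```

In a real deployment the page would issue an HTTP redirect to the returned URL; the lookup itself should run with a read-only directory account that can only see the attributes needed to place the user in a partition.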

